PHP :: Bug #28875 :: Wrong regex crashes server

Bug #28875

Wrong regex crashes server

Submitted:

2004-06-21 22:58 UTC

Modified:

2004-07-15 01:00 UTC

Votes:	2
Avg. Score:	3.0 ± 0.0
Reproduced:	2 of 2 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

amoljak at cox dot net

Assigned:

Status:

No Feedback

Package:

PCRE related

PHP Version:

4.3.8-dev

OS:

Windows 2000 Server

Private report:

CVE-ID:

None

View Add Comment Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	amoljak at cox dot net
New email:
PHP Version:		OS:

New/Additional Comment:

[2004-06-21 22:58 UTC] amoljak at cox dot net

Description:
------------
Note the extra ] in the regex. Try to load this page three times and it will crash the third time.

Reproduce code:
---------------
<?php

$filecontent = "my name is amol";
$regex = "/(^|[^a-zA-Z0-9-])([Nn]on[-s? []]]degrees? [Ss]tudents?)([^a-zA-Z0-9-]|$)/es";

//preg_match_all($regex, $filecontent , $matches, PREG_OFFSET_CAPTURE);
preg_match($regex, $filecontent , $matches, PREG_OFFSET_CAPTURE);
print "matches = $matches<br>";

?>


Expected result:
----------------
This is from end user's code and I don't know what he expected. But he was able to crash the server... thats bad.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2004-06-22 00:45 UTC] iliaa@php.net

Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

[2004-06-22 01:24 UTC] amoljak at cox dot net

I tried PHP 4.3.8-dev and it is not crashing. So I am closing the bug. I will reopen if it occures on the machine I initially tried.

Thanks

[2004-06-22 18:06 UTC] amoljak at cox dot net

Ok.. It crashes on two servers

And on the third machine it gives the following warning:
Warning: Compilation failed: internal error: code overflow at offset 72 in C:\work\servers\Apache2\htdocs\test\PHP\crashtest.php on line 7

(line 7 is the preg_match thing)
But it does not crash. The php.ini options are the same.

Thanks,
Amol

[2004-07-06 15:58 UTC] sniper@php.net

What's the difference in the 3rd server to the 2 others..?
And are you aware that PCRE has certain limitations what it can handle and what not?

[2004-07-06 18:34 UTC] scottmacvicar at ntlworld dot com

[root@devbox scott]# php -v
PHP 4.3.8-dev (cli) (built: Jul  6 2004 17:26:46)
Copyright (c) 1997-2004 The PHP Group
Zend Engine v1.3.0, Copyright (c) 1998-2004 Zend Technologies

[root@devbox scott]# uname -a
Linux devbox 2.4.20-31.9 #1 Tue Apr 13 18:04:23 EDT 2004 i686 athlon i386 GNU/Linux

#0  0x4207491d in _int_free () from /lib/tls/libc.so.6
#1  0x42073908 in free () from /lib/tls/libc.so.6
#2  0x080bac88 in php_pcre_compile (pattern=0x82e8fa4 "(^|[^a-zA-Z0-9-])([Nn]on[-s? []]]degrees?[Ss]tudents?)([^a-zA-Z0-9-]|$)", 
    options=4, errorptr=0xbfffc264, erroroffset=0xbfffc268, tables=0x82e8160 "")
    at /usr/local/src/php-4.3.8-dev/ext/pcre/pcrelib/pcre.c:5088
#3  0x080c1270 in pcre_get_compiled_regex (
    regex=0x82e04cc "/(^|[^a-zA-Z0-9-])([Nn]on[-s? []]]degrees?[Ss]tudents?)([^a-zA-Z0-9-]|$)/es", extra=0xbfffc358, 
    preg_options=0xbfffc35c) at /usr/local/src/php-4.3.8-dev/ext/pcre/php_pcre.c:257
#4  0x080c1513 in php_pcre_match (ht=137265364, return_value=0x82e8114, this_ptr=0x0, return_value_used=0, global=0)
    at /usr/local/src/php-4.3.8-dev/ext/pcre/php_pcre.c:391
#5  0x080c1e59 in zif_preg_match (ht=4, return_value=0x82e8114, this_ptr=0x0, return_value_used=0)
    at /usr/local/src/php-4.3.8-dev/ext/pcre/php_pcre.c:594
#6  0x0816d836 in execute (op_array=0x82e3f14) at /usr/local/src/php-4.3.8-dev/Zend/zend_execute.c:1635
#7  0x08160ef9 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/local/src/php-4.3.8-dev/Zend/zend.c:891
#8  0x0813ae67 in php_execute_script (primary_file=0xbfffe9d0) at /usr/local/src/php-4.3.8-dev/main/main.c:1731
#9  0x081724c7 in main (argc=2, argv=0xbfffea54) at /usr/local/src/php-4.3.8-dev/sapi/cli/php_cli.c:822
#10 0x42015704 in __libc_start_main () from /lib/tls/libc.so.6

[2004-07-15 01:00 UTC] php-bugs at lists dot php dot net

No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".

[2007-05-13 23:06 UTC] nospam at nihonbunka dot com

This seems very similar to the PCRE bug December 2003 No. 14
http://sourceforge.net/project/shownotes.php?release_id=469336&group_id=10194)
"Bug fixes include:
...
14. A pattern such as /[ab]{1,3}+/ failed to compile, giving the error
"internal error: code overflow...". This applied to any character class
that was followed by a possessive quantifier."

The above is essentially a "this is a solution" (not that I have solved it). Why is it not a good idea to post solutions? Is this bug tracker only to help cure the latest stable versions of php? There are many people using older versions, that want to know how to make the older versions of php work. It is with them in mind that I humbly submit this suggestion - to update PCRE. 

Thank you for php.
Tim

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Tue Apr 23 06:01:30 2024 UTC